Hello *,
I am currently dealing with a problem in a third-party application
using openldap to retrieve CRLs. We are evaluating this piece of
software for possible vulnerabilities. One of the risk arises from
a possible DoS-attack involving the aforementioned CRL-retrieval.
Our scenario involves an attacker being able to hijack the LDAP-
server delivering the CRLs and replacing the actual LDAP-application
by a hand-crafted one which accepts connection attempts on port 389
and then does nothing. As a result the application being evaluated
is rendered unusable stalling forever while trying to download the
CRL.
The reason for this behavior is the function call
ldap_simple_bind_s() being used to connect to the server. While we
are able to control the actual tcp connect and the retrieval of the
CRL using LDAP_OPT_NETWORK_TIMEOUT and LDAP_OPT_TIMEOUT, there
seems no option to use something like a ldap_bind_st()- function.
A mailinglist-entry back from 2002 suggested the implementation
of a custom ldap_bind_st()-function, which I did using ldap_bind()
and ldap_result(). Yet, me efforts were in vain as I could not
retrieve the ld_error-member from LDAP-structure since it's an
opaque struct. I finally ended up with a custom function which
essentially does what I want, but I cannot figure out if it's due
to a bind-timeout or some other reason since ldap_result()
returns -1 on failure and 0 otherwise, not the actual error code.
Bottom line is, I'm back where I started: wondering why there is
no such a function in openldap *and* if is there any chance
getting the one that I wrote -- it's added below -- upstream. I
know that ldap_bind_s is deprecated in favour of ldap_sasl_bind_s
which I could also extend by a ldap_sasl_bind_st function, but I
do not want to put any more effort in something being deemed to
fail from the start.
To sum it up: any chance to get this upstream?
Cheers
Thomas
diff --git a/include/ldap.h b/include/ldap.h
index 3f0c1c4..dc3a48c 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -1270,6 +1270,15 @@ ldap_bind_s LDAP_P(( /* deprecated, use ldap_sasl_bind_s */
LDAP_CONST char *cred,
int authmethod ));
+LDAP_F( int )
+ldap_bind_st LDAP_P((
+ LDAP *ld,
+ LDAP_CONST char *who,
+ LDAP_CONST char *cred,
+ int authmethod,
+ struct timeval *timeout,
+ LDAPMessage **result ));
+
/*
* in sbind.c:
*/
diff --git a/libraries/libldap/bind.c b/libraries/libldap/bind.c
index 875bd69..303ead1 100644
--- a/libraries/libldap/bind.c
+++ b/libraries/libldap/bind.c
@@ -125,3 +125,32 @@ ldap_bind_s(
return( ld->ld_errno = LDAP_AUTH_UNKNOWN );
}
}
+
+int ldap_bind_st(
+ LDAP *ld,
+ LDAP_CONST char *dn,
+ LDAP_CONST char *passwd,
+ int authmethod,
+ struct timeval *timeout,
+ LDAPMessage **res )
+{
+ int msgid;
+
+ *res = NULL;
+
+ Debug( LDAP_DEBUG_TRACE, "ldap_bind_st\n", 0, 0, 0 );
+
+ if ( (msgid = ldap_bind( ld, dn, passwd, authmethod )) == -1 )
+ return( ld->ld_errno );
+
+ if ( ldap_result( ld, msgid, LDAP_MSG_ALL, timeout, res ) == -1 || !*res )
+ return( ld->ld_errno );
+
+ if ( ld->ld_errno == LDAP_TIMEOUT ) {
+ (void) ldap_abandon( ld, msgid );
+ ld->ld_errno = LDAP_TIMEOUT;
+ return( ld->ld_errno );
+ }
+
+ return( ldap_result2error( ld, *res, 0 ) );
+}